Please note that at least two settings are crucial to setting the session time, and maybe three. The two certainly crucial ones are session.gc_maxlifetime and session.cookie_lifetime (where 0 is not the same as some long number). For complete, 100% certainty of allowing long times, it may also be necessary to set the session.save_path, due to varying OS-controled cleanup time on the /tmp directory where session files get stored by default.
–
KzqaiApr 7 '11 at 8:04

session.gc_maxlifetimesession.gc_maxlifetime specifies the number of seconds after which data will be seen as 'garbage' and cleaned up. Garbage collection occurs during session start.

But the garbage collector is only started with a probability of session.gc_probability divided by session.gc_divisor. And using the default values for those options (1 and 100 respectively), the chance is only at 1%.

Well, you could simply adjust these values so that the garbage collector is started more often. But when the garbage collector is started, it will check the validity for every registered session. And that is cost-intensive.

Furthermore, when using PHP's default session.save_handler files, the session data is stored in files in a path specified in session.save_path. With that session handler, the age of the session data is calculated on the file's last modification date and not the last access date:

Note: If you are using the default file-based session handler, your filesystem must keep track of access times (atime). Windows FAT does not so you will have to come up with another way to handle garbage collecting your session if you are stuck with a FAT filesystem or any other filesystem where atime tracking is not available. Since PHP 4.2.3 it has used mtime (modified date) instead of atime. So, you won't have problems with filesystems where atime tracking is not available.

So it additionally might occur that a session data file is deleted while the session itself is still considered as valid because the session data was not updated recently.

And second:

session.cookie_lifetimesession.cookie_lifetime specifies the lifetime of the cookie in seconds which is sent to the browser. […]

Yes, that's right. This only affects the cookie lifetime and the session itself may still be valid. But it's the server's task to invalidate a session, not the client. So this doesn't help anything. In fact, having session.cookie_lifetime set to 0 would make the session’s cookie a real session cookie that is only valid until the browser is closed.

Conclusion / best solution:

The best solution is to implement a session timeout of your own. Use a simple time stamp that denotes the time of the last activity (i.e. request) and update it with every request:

session.gc_maxlifetime should be at least equal to the lifetime of this custom expiration handler (1800 in this example);

if you want to expire the session after 30 minutes of activity instead of after 30 minutes since start, you'll also need to use setcookie with an expire of time()+60*30 to keep the session cookie active.

@Metropolis: Use something like $_SESSION['LAST_ACTIVITY'] similar to $_SESSION['CREATED'] where you store the time of the last activity of the user but update that value with every request. Now if the difference of that time to the current time is larger that 1800 seconds, the session has not been used for more than 30 minutes.
–
GumboAug 9 '10 at 16:37

94

@Gumbo - Very well written. If you had a book i'd buy it.
–
Ash BurlaczenkoAug 10 '10 at 14:44

11

@Gumbo - I´m a bit confused, shouldn´t you use your code in combination with ini_set('session.gc-maxlifetime', 1800)? Otherwise your session information could get destroyed while your session is still supposed to be valid, at least if the ini setting is the standard 24 minutes. Or am I missing something?
–
jeroenOct 27 '10 at 21:05

9

@jeron: Yes, you should. But note that session.gc_maxlifetime depends on the file’s last modification date if the session save handler files is used. So session.gc_maxlifetime should be at least equal to the life time of this custom expiration handler.
–
GumboOct 27 '10 at 21:13

session.gc-maxlifetime is probably the best way to go.
–
PowerlordFeb 6 '09 at 13:45

1

There are some issues with the session cookie lifetime, most notably, it relies on the client to enforce it. The cookie lifetime is there to allow the client to clean up useless/expired cookies, it is not to be confused with anything security related.
–
JaccoMay 15 '12 at 12:32

Is it gc_maxlifetime or gc-maxlifetime. Does it support both underscores and hyphens?
–
Mike CauserAug 17 '12 at 8:25

It's actually easy with a function like the following. It uses database table name 'sessions' with fields 'id' and 'time'.

Every time when the user visits your site or service again you should invoke this function to check if its return value is TRUE. If it's FALSE the user has expired and the session will be destroyed (Note: This function uses a database class to connect and query the database, of course you could also do it inside your function or something like that):

<?php
/***
* Starts a session with a specific timeout and a specific GC probability.
* @param int $timeout The number of seconds until it should time out.
* @param int $probability The probablity, in int percentage, that the garbage
* collection routine will be triggered right now.
* @param strint $cookie_domain The domain path for the cookie.
*/
function session_start_timeout($timeout=5, $probability=100, $cookie_domain='/') {
// Set the max lifetime
ini_set("session.gc_maxlifetime", $timeout);
// Set the session cookie to timout
ini_set("session.cookie_lifetime", $timeout);
// Change the save path. Sessions stored in teh same path
// all share the same lifetime; the lowest lifetime will be
// used for all. Therefore, for this to work, the session
// must be stored in a directory where only sessions sharing
// it's lifetime are. Best to just dynamically create on.
$seperator = strstr(strtoupper(substr(PHP_OS, 0, 3)), "WIN") ? "\\" : "/";
$path = ini_get("session.save_path") . $seperator . "session_" . $timeout . "sec";
if(!file_exists($path)) {
if(!mkdir($path, 600)) {
trigger_error("Failed to create session save path directory '$path'. Check permissions.", E_USER_ERROR);
}
}
ini_set("session.save_path", $path);
// Set the chance to trigger the garbage collection.
ini_set("session.gc_probability", $probability);
ini_set("session.gc_divisor", 100); // Should always be 100
// Start the session!
session_start();
// Renew the time left until this session times out.
// If you skip this, the session will time out based
// on the time when it was created, rather than when
// it was last used.
if(isset($_COOKIE[session_name()])) {
setcookie(session_name(), $_COOKIE[session_name()], time() + $timeout, $cookie_domain);
}
}